FKIE_CVE-2026-2375

Vulnerability from fkie_nvd - Published: 2026-03-21 04:16 - Updated: 2026-04-22 21:32
Severity
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.5.10. This is due to the `verify_role()` function in `AuthTrails.php` explicitly whitelisting the `wcfm_vendor` role alongside `subscriber` and `customer`, and assigning it directly via `wp_insert_user()` without integrating with WCFM Marketplace's vendor approval workflow. This makes it possible for unauthenticated attackers to register an account with the `wcfm_vendor` role by supplying the `role` parameter in the `/wp-json/app-builder/v1/register` REST API endpoint, bypassing the standard WCFM vendor approval process and immediately gaining vendor-level privileges (product management, order access, store management) on sites where WCFM Marketplace is active.
References
security@wordfence.comhttps://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/AuthTrails.php#L80
security@wordfence.comhttps://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/RegisterAuth.php#L108
security@wordfence.comhttps://www.wordfence.com/threat-intel/vulnerabilities/id/0a4521af-692a-4a84-ba9b-1904a42786c1?source=cve
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The App Builder \u2013 Create Native Android \u0026 iOS Apps On The Flight plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.5.10. This is due to the `verify_role()` function in `AuthTrails.php` explicitly whitelisting the `wcfm_vendor` role alongside `subscriber` and `customer`, and assigning it directly via `wp_insert_user()` without integrating with WCFM Marketplace\u0027s vendor approval workflow. This makes it possible for unauthenticated attackers to register an account with the `wcfm_vendor` role by supplying the `role` parameter in the `/wp-json/app-builder/v1/register` REST API endpoint, bypassing the standard WCFM vendor approval process and immediately gaining vendor-level privileges (product management, order access, store management) on sites where WCFM Marketplace is active."
    },
    {
      "lang": "es",
      "value": "El plugin App Builder \u2013 Create Native Android \u0026amp; iOS Apps On The Flight para WordPress es vulnerable a la escalada de privilegios en todas las versiones hasta la 5.5.10, inclusive. Esto se debe a que la funci\u00f3n \u0027verify_role()\u0027 en \u0027AuthTrails.php\u0027 incluye expl\u00edcitamente el rol \u0027wcfm_vendor\u0027 junto con \u0027subscriber\u0027 y \u0027customer\u0027 en una lista blanca, y lo asigna directamente a trav\u00e9s de \u0027wp_insert_user()\u0027 sin integrarse con el flujo de trabajo de aprobaci\u00f3n de proveedores de WCFM Marketplace. Esto permite a atacantes no autenticados registrar una cuenta con el rol \u0027wcfm_vendor\u0027 al proporcionar el par\u00e1metro \u0027role\u0027 en el endpoint de la API REST \u0027/wp-json/app-builder/v1/register\u0027, eludiendo el proceso est\u00e1ndar de aprobaci\u00f3n de proveedores de WCFM y obteniendo inmediatamente privilegios de nivel de proveedor (gesti\u00f3n de productos, acceso a pedidos, gesti\u00f3n de la tienda) en sitios donde WCFM Marketplace est\u00e1 activo."
    }
  ],
  "id": "CVE-2026-2375",
  "lastModified": "2026-04-22T21:32:08.360",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "security@wordfence.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-21T04:16:58.727",
  "references": [
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/AuthTrails.php#L80"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/RegisterAuth.php#L108"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0a4521af-692a-4a84-ba9b-1904a42786c1?source=cve"
    }
  ],
  "sourceIdentifier": "security@wordfence.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-269"
        }
      ],
      "source": "security@wordfence.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.